netdev.vger.kernel.org archive mirror
* [PATCH net] bnx2x: Fix multiple UBSAN array-index-out-of-bounds
@ 2024-06-12 13:56 Ghadi Elie Rahme
  2024-06-12 14:06 ` Greg KH
  0 siblings, 1 reply; 3+ messages in thread
From: Ghadi Elie Rahme @ 2024-06-12 13:56 UTC
  To: netdev; +Cc: stable, Ghadi Elie Rahme

Fix UBSAN warnings that occur when using a system with 32 physical
cpu cores or more, or when the user defines a number of ethernet
queues greater than or equal to FP_SB_MAX_E1x.

The value of the maximum number of Ethernet queues should be limited
to FP_SB_MAX_E1x in case FCOE is disabled or to [FP_SB_MAX_E1x-1] if
enabled to avoid out of bounds reads and writes.

Stack trace:

UBSAN: array-index-out-of-bounds in /home/kernel/COD/linux/drivers/net/ethernet/broadcom/bnx2x/bnx2x_stats.c:1529:11
index 20 is out of range for type 'stats_query_entry [19]'
CPU: 12 PID: 858 Comm: systemd-network Not tainted 6.9.0-060900rc7-generic #202405052133
Hardware name: HP ProLiant DL360 Gen9/ProLiant DL360 Gen9, BIOS P89 10/21/2019
Call Trace:
 <TASK>
 dump_stack_lvl+0x76/0xa0
 dump_stack+0x10/0x20
 __ubsan_handle_out_of_bounds+0xcb/0x110
 bnx2x_prep_fw_stats_req+0x2e1/0x310 [bnx2x]
 bnx2x_stats_init+0x156/0x320 [bnx2x]
 bnx2x_post_irq_nic_init+0x81/0x1a0 [bnx2x]
 bnx2x_nic_load+0x8e8/0x19e0 [bnx2x]
 bnx2x_open+0x16b/0x290 [bnx2x]
 __dev_open+0x10e/0x1d0
 __dev_change_flags+0x1bb/0x240
 ? sock_def_readable+0x52/0xf0
 dev_change_flags+0x27/0x80
 do_setlink+0xab7/0xe50
 ? rtnl_getlink+0x3c7/0x470
 ? __nla_validate_parse+0x49/0x1d0
 rtnl_setlink+0x12f/0x1f0
 ? security_capable+0x47/0x80
 rtnetlink_rcv_msg+0x170/0x440
 ? ep_done_scan+0xe4/0x100
 ? __pfx_rtnetlink_rcv_msg+0x10/0x10
 netlink_rcv_skb+0x5d/0x110
 rtnetlink_rcv+0x15/0x30
 netlink_unicast+0x243/0x380
 netlink_sendmsg+0x213/0x460
 __sys_sendto+0x21e/0x230
 __x64_sys_sendto+0x24/0x40
 x64_sys_call+0x1c33/0x25c0
 do_syscall_64+0x7e/0x180
 ? __task_pid_nr_ns+0x6c/0xc0
 ? syscall_exit_to_user_mode+0x81/0x270
 ? do_syscall_64+0x8b/0x180
 ? do_syscall_64+0x8b/0x180
 ? __task_pid_nr_ns+0x6c/0xc0
 ? syscall_exit_to_user_mode+0x81/0x270
 ? do_syscall_64+0x8b/0x180
 ? do_syscall_64+0x8b/0x180
 ? exc_page_fault+0x93/0x1b0
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x736223927a0a
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89
RSP: 002b:00007ffc0bb2ada8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 0000583df50f9c78 RCX: 0000736223927a0a
RDX: 0000000000000020 RSI: 0000583df50ee510 RDI: 0000000000000003
RBP: 0000583df50d4940 R08: 00007ffc0bb2adb0 R09: 0000000000000080
R10: 0000000000000000 R11: 0000000000000246 R12: 0000583df5103ae0
R13: 000000000000035a R14: 0000583df50f9c30 R15: 0000583ddddddf00
</TASK>
---[ end trace ]---
------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in /home/kernel/COD/linux/drivers/net/ethernet/broadcom/bnx2x/bnx2x_stats.c:1546:11
index 28 is out of range for type 'stats_query_entry [19]'
CPU: 12 PID: 858 Comm: systemd-network Not tainted 6.9.0-060900rc7-generic #202405052133
Hardware name: HP ProLiant DL360 Gen9/ProLiant DL360 Gen9, BIOS P89 10/21/2019
Call Trace:
<TASK>
dump_stack_lvl+0x76/0xa0
dump_stack+0x10/0x20
__ubsan_handle_out_of_bounds+0xcb/0x110
bnx2x_prep_fw_stats_req+0x2fd/0x310 [bnx2x]
bnx2x_stats_init+0x156/0x320 [bnx2x]
bnx2x_post_irq_nic_init+0x81/0x1a0 [bnx2x]
bnx2x_nic_load+0x8e8/0x19e0 [bnx2x]
bnx2x_open+0x16b/0x290 [bnx2x]
__dev_open+0x10e/0x1d0
__dev_change_flags+0x1bb/0x240
? sock_def_readable+0x52/0xf0
dev_change_flags+0x27/0x80
do_setlink+0xab7/0xe50
? rtnl_getlink+0x3c7/0x470
? __nla_validate_parse+0x49/0x1d0
rtnl_setlink+0x12f/0x1f0
? security_capable+0x47/0x80
rtnetlink_rcv_msg+0x170/0x440
? ep_done_scan+0xe4/0x100
? __pfx_rtnetlink_rcv_msg+0x10/0x10
netlink_rcv_skb+0x5d/0x110
rtnetlink_rcv+0x15/0x30
netlink_unicast+0x243/0x380
netlink_sendmsg+0x213/0x460
__sys_sendto+0x21e/0x230
__x64_sys_sendto+0x24/0x40
x64_sys_call+0x1c33/0x25c0
do_syscall_64+0x7e/0x180
? __task_pid_nr_ns+0x6c/0xc0
? syscall_exit_to_user_mode+0x81/0x270
? do_syscall_64+0x8b/0x180
? do_syscall_64+0x8b/0x180
? __task_pid_nr_ns+0x6c/0xc0
? syscall_exit_to_user_mode+0x81/0x270
? do_syscall_64+0x8b/0x180
? do_syscall_64+0x8b/0x180
? exc_page_fault+0x93/0x1b0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x736223927a0a
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89
RSP: 002b:00007ffc0bb2ada8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 0000583df50f9c78 RCX: 0000736223927a0a
RDX: 0000000000000020 RSI: 0000583df50ee510 RDI: 0000000000000003
RBP: 0000583df50d4940 R08: 00007ffc0bb2adb0 R09: 0000000000000080
R10: 0000000000000000 R11: 0000000000000246 R12: 0000583df5103ae0
R13: 000000000000035a R14: 0000583df50f9c30 R15: 0000583ddddddf00
 </TASK>
---[ end trace ]---
bnx2x 0000:04:00.1: 32.000 Gb/s available PCIe bandwidth (5.0 GT/s PCIe x8 link)
bnx2x 0000:04:00.1 eno50: renamed from eth0
------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in /home/kernel/COD/linux/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c:1895:8
index 29 is out of range for type 'stats_query_entry [19]'
CPU: 13 PID: 163 Comm: kworker/u96:1 Not tainted 6.9.0-060900rc7-generic #202405052133
Hardware name: HP ProLiant DL360 Gen9/ProLiant DL360 Gen9, BIOS P89 10/21/2019
Workqueue: bnx2x bnx2x_sp_task [bnx2x]
Call Trace:
 <TASK>
 dump_stack_lvl+0x76/0xa0
 dump_stack+0x10/0x20
 __ubsan_handle_out_of_bounds+0xcb/0x110
 bnx2x_iov_adjust_stats_req+0x3c4/0x3d0 [bnx2x]
 bnx2x_storm_stats_post.part.0+0x4a/0x330 [bnx2x]
 ? bnx2x_hw_stats_post+0x231/0x250 [bnx2x]
 bnx2x_stats_start+0x44/0x70 [bnx2x]
 bnx2x_stats_handle+0x149/0x350 [bnx2x]
 bnx2x_attn_int_asserted+0x998/0x9b0 [bnx2x]
 bnx2x_sp_task+0x491/0x5c0 [bnx2x]
 process_one_work+0x18d/0x3f0
 worker_thread+0x304/0x440
 ? __pfx_worker_thread+0x10/0x10
 kthread+0xe4/0x110
 ? __pfx_kthread+0x10/0x10
 ret_from_fork+0x47/0x70
 ? __pfx_kthread+0x10/0x10
 ret_from_fork_asm+0x1a/0x30
 </TASK>
---[ end trace ]---

Fixes: 7d0445d66a76 ("bnx2x: clamp num_queues to prevent passing a negative value")
Signed-off-by: Ghadi Elie Rahme <ghadi.rahme@canonical.com>
---
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
index a8e07e51418f..837617b99089 100644
--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
+++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
@@ -66,7 +66,12 @@ static int bnx2x_calc_num_queues(struct bnx2x *bp)
 	if (is_kdump_kernel())
 		nq = 1;
 
-	nq = clamp(nq, 1, BNX2X_MAX_QUEUES(bp));
+	int max_nq = FP_SB_MAX_E1x - 1;
+
+	if(NO_FCOE(bp))
+		max_nq = FP_SB_MAX_E1x;
+
+	nq = clamp(nq, 1, max_nq);
 	return nq;
 }
 
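Review bot: The replacement clamp, 'nq = clamp(nq, 1, max_nq);', drops BNX2X_MAX_QUEUES(bp) as the upper bound altogether, so whatever per-device limit that macro expressed is no longer applied and every adapter handled by bnx2x_calc_num_queues() is capped by a value derived only from FP_SB_MAX_E1x, a constant whose name suggests one chip family. If the goal is just to add a ceiling, keep the old bound and clamp to the smaller of BNX2X_MAX_QUEUES(bp) and max_nq; otherwise the commit message should say why the E1x limit is right for every device that reaches this function.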
-- 
2.43.0



* Re: [PATCH net] bnx2x: Fix multiple UBSAN array-index-out-of-bounds
  2024-06-12 13:56 [PATCH net] bnx2x: Fix multiple UBSAN array-index-out-of-bounds Ghadi Elie Rahme
@ 2024-06-12 14:06 ` Greg KH
  2024-06-12 14:39   ` Ghadi Rahme
  0 siblings, 1 reply; 3+ messages in thread
From: Greg KH @ 2024-06-12 14:06 UTC
  To: Ghadi Elie Rahme; +Cc: netdev, stable

On Wed, Jun 12, 2024 at 04:56:57PM +0300, Ghadi Elie Rahme wrote:
> Fix UBSAN warnings that occur when using a system with 32 physical
> cpu cores or more, or when the user defines a number of ethernet
> queues greater than or equal to FP_SB_MAX_E1x.
> 
> The value of the maximum number of Ethernet queues should be limited
> to FP_SB_MAX_E1x in case FCOE is disabled or to [FP_SB_MAX_E1x-1] if
> enabled to avoid out of bounds reads and writes.
> 
> Stack trace:
> 
> UBSAN: array-index-out-of-bounds in /home/kernel/COD/linux/drivers/net/ethernet/broadcom/bnx2x/bnx2x_stats.c:1529:11
> index 20 is out of range for type 'stats_query_entry [19]'
> CPU: 12 PID: 858 Comm: systemd-network Not tainted 6.9.0-060900rc7-generic #202405052133
> Hardware name: HP ProLiant DL360 Gen9/ProLiant DL360 Gen9, BIOS P89 10/21/2019
> Call Trace:
>  <TASK>
>  dump_stack_lvl+0x76/0xa0
>  dump_stack+0x10/0x20
>  __ubsan_handle_out_of_bounds+0xcb/0x110
>  bnx2x_prep_fw_stats_req+0x2e1/0x310 [bnx2x]
>  bnx2x_stats_init+0x156/0x320 [bnx2x]
>  bnx2x_post_irq_nic_init+0x81/0x1a0 [bnx2x]
>  bnx2x_nic_load+0x8e8/0x19e0 [bnx2x]
>  bnx2x_open+0x16b/0x290 [bnx2x]
>  __dev_open+0x10e/0x1d0
>  __dev_change_flags+0x1bb/0x240
>  ? sock_def_readable+0x52/0xf0
>  dev_change_flags+0x27/0x80
>  do_setlink+0xab7/0xe50
>  ? rtnl_getlink+0x3c7/0x470
>  ? __nla_validate_parse+0x49/0x1d0
>  rtnl_setlink+0x12f/0x1f0
>  ? security_capable+0x47/0x80
>  rtnetlink_rcv_msg+0x170/0x440
>  ? ep_done_scan+0xe4/0x100
>  ? __pfx_rtnetlink_rcv_msg+0x10/0x10
>  netlink_rcv_skb+0x5d/0x110
>  rtnetlink_rcv+0x15/0x30
>  netlink_unicast+0x243/0x380
>  netlink_sendmsg+0x213/0x460
>  __sys_sendto+0x21e/0x230
>  __x64_sys_sendto+0x24/0x40
>  x64_sys_call+0x1c33/0x25c0
>  do_syscall_64+0x7e/0x180
>  ? __task_pid_nr_ns+0x6c/0xc0
>  ? syscall_exit_to_user_mode+0x81/0x270
>  ? do_syscall_64+0x8b/0x180
>  ? do_syscall_64+0x8b/0x180
>  ? __task_pid_nr_ns+0x6c/0xc0
>  ? syscall_exit_to_user_mode+0x81/0x270
>  ? do_syscall_64+0x8b/0x180
>  ? do_syscall_64+0x8b/0x180
>  ? exc_page_fault+0x93/0x1b0
>  entry_SYSCALL_64_after_hwframe+0x76/0x7e
> RIP: 0033:0x736223927a0a
> Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89
> RSP: 002b:00007ffc0bb2ada8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
> RAX: ffffffffffffffda RBX: 0000583df50f9c78 RCX: 0000736223927a0a
> RDX: 0000000000000020 RSI: 0000583df50ee510 RDI: 0000000000000003
> RBP: 0000583df50d4940 R08: 00007ffc0bb2adb0 R09: 0000000000000080
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000583df5103ae0
> R13: 000000000000035a R14: 0000583df50f9c30 R15: 0000583ddddddf00
> </TASK>
> ---[ end trace ]---
> ------------[ cut here ]------------
> UBSAN: array-index-out-of-bounds in /home/kernel/COD/linux/drivers/net/ethernet/broadcom/bnx2x/bnx2x_stats.c:1546:11
> index 28 is out of range for type 'stats_query_entry [19]'
> CPU: 12 PID: 858 Comm: systemd-network Not tainted 6.9.0-060900rc7-generic #202405052133
> Hardware name: HP ProLiant DL360 Gen9/ProLiant DL360 Gen9, BIOS P89 10/21/2019
> Call Trace:
> <TASK>
> dump_stack_lvl+0x76/0xa0
> dump_stack+0x10/0x20
> __ubsan_handle_out_of_bounds+0xcb/0x110
> bnx2x_prep_fw_stats_req+0x2fd/0x310 [bnx2x]
> bnx2x_stats_init+0x156/0x320 [bnx2x]
> bnx2x_post_irq_nic_init+0x81/0x1a0 [bnx2x]
> bnx2x_nic_load+0x8e8/0x19e0 [bnx2x]
> bnx2x_open+0x16b/0x290 [bnx2x]
> __dev_open+0x10e/0x1d0
> __dev_change_flags+0x1bb/0x240
> ? sock_def_readable+0x52/0xf0
> dev_change_flags+0x27/0x80
> do_setlink+0xab7/0xe50
> ? rtnl_getlink+0x3c7/0x470
> ? __nla_validate_parse+0x49/0x1d0
> rtnl_setlink+0x12f/0x1f0
> ? security_capable+0x47/0x80
> rtnetlink_rcv_msg+0x170/0x440
> ? ep_done_scan+0xe4/0x100
> ? __pfx_rtnetlink_rcv_msg+0x10/0x10
> netlink_rcv_skb+0x5d/0x110
> rtnetlink_rcv+0x15/0x30
> netlink_unicast+0x243/0x380
> netlink_sendmsg+0x213/0x460
> __sys_sendto+0x21e/0x230
> __x64_sys_sendto+0x24/0x40
> x64_sys_call+0x1c33/0x25c0
> do_syscall_64+0x7e/0x180
> ? __task_pid_nr_ns+0x6c/0xc0
> ? syscall_exit_to_user_mode+0x81/0x270
> ? do_syscall_64+0x8b/0x180
> ? do_syscall_64+0x8b/0x180
> ? __task_pid_nr_ns+0x6c/0xc0
> ? syscall_exit_to_user_mode+0x81/0x270
> ? do_syscall_64+0x8b/0x180
> ? do_syscall_64+0x8b/0x180
> ? exc_page_fault+0x93/0x1b0
> entry_SYSCALL_64_after_hwframe+0x76/0x7e
> RIP: 0033:0x736223927a0a
> Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89
> RSP: 002b:00007ffc0bb2ada8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
> RAX: ffffffffffffffda RBX: 0000583df50f9c78 RCX: 0000736223927a0a
> RDX: 0000000000000020 RSI: 0000583df50ee510 RDI: 0000000000000003
> RBP: 0000583df50d4940 R08: 00007ffc0bb2adb0 R09: 0000000000000080
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000583df5103ae0
> R13: 000000000000035a R14: 0000583df50f9c30 R15: 0000583ddddddf00
>  </TASK>
> ---[ end trace ]---
> bnx2x 0000:04:00.1: 32.000 Gb/s available PCIe bandwidth (5.0 GT/s PCIe x8 link)
> bnx2x 0000:04:00.1 eno50: renamed from eth0
> ------------[ cut here ]------------
> UBSAN: array-index-out-of-bounds in /home/kernel/COD/linux/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c:1895:8
> index 29 is out of range for type 'stats_query_entry [19]'
> CPU: 13 PID: 163 Comm: kworker/u96:1 Not tainted 6.9.0-060900rc7-generic #202405052133
> Hardware name: HP ProLiant DL360 Gen9/ProLiant DL360 Gen9, BIOS P89 10/21/2019
> Workqueue: bnx2x bnx2x_sp_task [bnx2x]
> Call Trace:
>  <TASK>
>  dump_stack_lvl+0x76/0xa0
>  dump_stack+0x10/0x20
>  __ubsan_handle_out_of_bounds+0xcb/0x110
>  bnx2x_iov_adjust_stats_req+0x3c4/0x3d0 [bnx2x]
>  bnx2x_storm_stats_post.part.0+0x4a/0x330 [bnx2x]
>  ? bnx2x_hw_stats_post+0x231/0x250 [bnx2x]
>  bnx2x_stats_start+0x44/0x70 [bnx2x]
>  bnx2x_stats_handle+0x149/0x350 [bnx2x]
>  bnx2x_attn_int_asserted+0x998/0x9b0 [bnx2x]
>  bnx2x_sp_task+0x491/0x5c0 [bnx2x]
>  process_one_work+0x18d/0x3f0
>  worker_thread+0x304/0x440
>  ? __pfx_worker_thread+0x10/0x10
>  kthread+0xe4/0x110
>  ? __pfx_kthread+0x10/0x10
>  ret_from_fork+0x47/0x70
>  ? __pfx_kthread+0x10/0x10
>  ret_from_fork_asm+0x1a/0x30
>  </TASK>
> ---[ end trace ]---
> 
> Fixes: 7d0445d66a76 ("bnx2x: clamp num_queues to prevent passing a negative value")
> Signed-off-by: Ghadi Elie Rahme <ghadi.rahme@canonical.com>
> ---
>  drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c | 7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
> index a8e07e51418f..837617b99089 100644
> --- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
> +++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
> @@ -66,7 +66,12 @@ static int bnx2x_calc_num_queues(struct bnx2x *bp)
>  	if (is_kdump_kernel())
>  		nq = 1;
>  
> -	nq = clamp(nq, 1, BNX2X_MAX_QUEUES(bp));
> +	int max_nq = FP_SB_MAX_E1x - 1;
> +
> +	if(NO_FCOE(bp))
> +		max_nq = FP_SB_MAX_E1x;
> +
> +	nq = clamp(nq, 1, max_nq);
>  	return nq;
>  }
>  
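Review bot: Two coding-style problems in the added lines: 'if(NO_FCOE(bp))' has no space between 'if' and the opening parenthesis, and 'int max_nq' is declared after executable statements instead of with the other locals at the start of bnx2x_calc_num_queues(). Write 'if (NO_FCOE(bp))' and move the declaration to the top of the function; scripts/checkpatch.pl reports the missing space as an error.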
> -- 
> 2.43.0
> 
> 

Did you not run checkpatch on this?

Also:

<formletter>

This is not the correct way to submit patches for inclusion in the
stable kernel tree.  Please read:
    https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html
for how to do this properly.

</formletter>


* Re: [PATCH net] bnx2x: Fix multiple UBSAN array-index-out-of-bounds
  2024-06-12 14:06 ` Greg KH
@ 2024-06-12 14:39   ` Ghadi Rahme
  0 siblings, 0 replies; 3+ messages in thread
From: Ghadi Rahme @ 2024-06-12 14:39 UTC
  To: Greg KH; +Cc: netdev, stable

Apologies, I accidentally sent an older version of the patch before
checkpatch was run and noticed it right after sending it. I will re-upload
the proper version as soon as I am able to.

On 12/06/2024 17:06, Greg KH wrote:
> On Wed, Jun 12, 2024 at 04:56:57PM +0300, Ghadi Elie Rahme wrote:
>> Fix UBSAN warnings that occur when using a system with 32 physical
>> cpu cores or more, or when the user defines a number of ethernet
>> queues greater than or equal to FP_SB_MAX_E1x.
>>
>> The value of the maximum number of Ethernet queues should be limited
>> to FP_SB_MAX_E1x in case FCOE is disabled or to [FP_SB_MAX_E1x-1] if
>> enabled to avoid out of bounds reads and writes.
>>
>> Stack trace:
>>
>> UBSAN: array-index-out-of-bounds in /home/kernel/COD/linux/drivers/net/ethernet/broadcom/bnx2x/bnx2x_stats.c:1529:11
>> index 20 is out of range for type 'stats_query_entry [19]'
>> CPU: 12 PID: 858 Comm: systemd-network Not tainted 6.9.0-060900rc7-generic #202405052133
>> Hardware name: HP ProLiant DL360 Gen9/ProLiant DL360 Gen9, BIOS P89 10/21/2019
>> Call Trace:
>>   <TASK>
>>   dump_stack_lvl+0x76/0xa0
>>   dump_stack+0x10/0x20
>>   __ubsan_handle_out_of_bounds+0xcb/0x110
>>   bnx2x_prep_fw_stats_req+0x2e1/0x310 [bnx2x]
>>   bnx2x_stats_init+0x156/0x320 [bnx2x]
>>   bnx2x_post_irq_nic_init+0x81/0x1a0 [bnx2x]
>>   bnx2x_nic_load+0x8e8/0x19e0 [bnx2x]
>>   bnx2x_open+0x16b/0x290 [bnx2x]
>>   __dev_open+0x10e/0x1d0
>>   __dev_change_flags+0x1bb/0x240
>>   ? sock_def_readable+0x52/0xf0
>>   dev_change_flags+0x27/0x80
>>   do_setlink+0xab7/0xe50
>>   ? rtnl_getlink+0x3c7/0x470
>>   ? __nla_validate_parse+0x49/0x1d0
>>   rtnl_setlink+0x12f/0x1f0
>>   ? security_capable+0x47/0x80
>>   rtnetlink_rcv_msg+0x170/0x440
>>   ? ep_done_scan+0xe4/0x100
>>   ? __pfx_rtnetlink_rcv_msg+0x10/0x10
>>   netlink_rcv_skb+0x5d/0x110
>>   rtnetlink_rcv+0x15/0x30
>>   netlink_unicast+0x243/0x380
>>   netlink_sendmsg+0x213/0x460
>>   __sys_sendto+0x21e/0x230
>>   __x64_sys_sendto+0x24/0x40
>>   x64_sys_call+0x1c33/0x25c0
>>   do_syscall_64+0x7e/0x180
>>   ? __task_pid_nr_ns+0x6c/0xc0
>>   ? syscall_exit_to_user_mode+0x81/0x270
>>   ? do_syscall_64+0x8b/0x180
>>   ? do_syscall_64+0x8b/0x180
>>   ? __task_pid_nr_ns+0x6c/0xc0
>>   ? syscall_exit_to_user_mode+0x81/0x270
>>   ? do_syscall_64+0x8b/0x180
>>   ? do_syscall_64+0x8b/0x180
>>   ? exc_page_fault+0x93/0x1b0
>>   entry_SYSCALL_64_after_hwframe+0x76/0x7e
>> RIP: 0033:0x736223927a0a
>> Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89
>> RSP: 002b:00007ffc0bb2ada8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
>> RAX: ffffffffffffffda RBX: 0000583df50f9c78 RCX: 0000736223927a0a
>> RDX: 0000000000000020 RSI: 0000583df50ee510 RDI: 0000000000000003
>> RBP: 0000583df50d4940 R08: 00007ffc0bb2adb0 R09: 0000000000000080
>> R10: 0000000000000000 R11: 0000000000000246 R12: 0000583df5103ae0
>> R13: 000000000000035a R14: 0000583df50f9c30 R15: 0000583ddddddf00
>> </TASK>
>> ---[ end trace ]---
>> ------------[ cut here ]------------
>> UBSAN: array-index-out-of-bounds in /home/kernel/COD/linux/drivers/net/ethernet/broadcom/bnx2x/bnx2x_stats.c:1546:11
>> index 28 is out of range for type 'stats_query_entry [19]'
>> CPU: 12 PID: 858 Comm: systemd-network Not tainted 6.9.0-060900rc7-generic #202405052133
>> Hardware name: HP ProLiant DL360 Gen9/ProLiant DL360 Gen9, BIOS P89 10/21/2019
>> Call Trace:
>> <TASK>
>> dump_stack_lvl+0x76/0xa0
>> dump_stack+0x10/0x20
>> __ubsan_handle_out_of_bounds+0xcb/0x110
>> bnx2x_prep_fw_stats_req+0x2fd/0x310 [bnx2x]
>> bnx2x_stats_init+0x156/0x320 [bnx2x]
>> bnx2x_post_irq_nic_init+0x81/0x1a0 [bnx2x]
>> bnx2x_nic_load+0x8e8/0x19e0 [bnx2x]
>> bnx2x_open+0x16b/0x290 [bnx2x]
>> __dev_open+0x10e/0x1d0
>> __dev_change_flags+0x1bb/0x240
>> ? sock_def_readable+0x52/0xf0
>> dev_change_flags+0x27/0x80
>> do_setlink+0xab7/0xe50
>> ? rtnl_getlink+0x3c7/0x470
>> ? __nla_validate_parse+0x49/0x1d0
>> rtnl_setlink+0x12f/0x1f0
>> ? security_capable+0x47/0x80
>> rtnetlink_rcv_msg+0x170/0x440
>> ? ep_done_scan+0xe4/0x100
>> ? __pfx_rtnetlink_rcv_msg+0x10/0x10
>> netlink_rcv_skb+0x5d/0x110
>> rtnetlink_rcv+0x15/0x30
>> netlink_unicast+0x243/0x380
>> netlink_sendmsg+0x213/0x460
>> __sys_sendto+0x21e/0x230
>> __x64_sys_sendto+0x24/0x40
>> x64_sys_call+0x1c33/0x25c0
>> do_syscall_64+0x7e/0x180
>> ? __task_pid_nr_ns+0x6c/0xc0
>> ? syscall_exit_to_user_mode+0x81/0x270
>> ? do_syscall_64+0x8b/0x180
>> ? do_syscall_64+0x8b/0x180
>> ? __task_pid_nr_ns+0x6c/0xc0
>> ? syscall_exit_to_user_mode+0x81/0x270
>> ? do_syscall_64+0x8b/0x180
>> ? do_syscall_64+0x8b/0x180
>> ? exc_page_fault+0x93/0x1b0
>> entry_SYSCALL_64_after_hwframe+0x76/0x7e
>> RIP: 0033:0x736223927a0a
>> Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89
>> RSP: 002b:00007ffc0bb2ada8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
>> RAX: ffffffffffffffda RBX: 0000583df50f9c78 RCX: 0000736223927a0a
>> RDX: 0000000000000020 RSI: 0000583df50ee510 RDI: 0000000000000003
>> RBP: 0000583df50d4940 R08: 00007ffc0bb2adb0 R09: 0000000000000080
>> R10: 0000000000000000 R11: 0000000000000246 R12: 0000583df5103ae0
>> R13: 000000000000035a R14: 0000583df50f9c30 R15: 0000583ddddddf00
>>   </TASK>
>> ---[ end trace ]---
>> bnx2x 0000:04:00.1: 32.000 Gb/s available PCIe bandwidth (5.0 GT/s PCIe x8 link)
>> bnx2x 0000:04:00.1 eno50: renamed from eth0
>> ------------[ cut here ]------------
>> UBSAN: array-index-out-of-bounds in /home/kernel/COD/linux/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c:1895:8
>> index 29 is out of range for type 'stats_query_entry [19]'
>> CPU: 13 PID: 163 Comm: kworker/u96:1 Not tainted 6.9.0-060900rc7-generic #202405052133
>> Hardware name: HP ProLiant DL360 Gen9/ProLiant DL360 Gen9, BIOS P89 10/21/2019
>> Workqueue: bnx2x bnx2x_sp_task [bnx2x]
>> Call Trace:
>>   <TASK>
>>   dump_stack_lvl+0x76/0xa0
>>   dump_stack+0x10/0x20
>>   __ubsan_handle_out_of_bounds+0xcb/0x110
>>   bnx2x_iov_adjust_stats_req+0x3c4/0x3d0 [bnx2x]
>>   bnx2x_storm_stats_post.part.0+0x4a/0x330 [bnx2x]
>>   ? bnx2x_hw_stats_post+0x231/0x250 [bnx2x]
>>   bnx2x_stats_start+0x44/0x70 [bnx2x]
>>   bnx2x_stats_handle+0x149/0x350 [bnx2x]
>>   bnx2x_attn_int_asserted+0x998/0x9b0 [bnx2x]
>>   bnx2x_sp_task+0x491/0x5c0 [bnx2x]
>>   process_one_work+0x18d/0x3f0
>>   worker_thread+0x304/0x440
>>   ? __pfx_worker_thread+0x10/0x10
>>   kthread+0xe4/0x110
>>   ? __pfx_kthread+0x10/0x10
>>   ret_from_fork+0x47/0x70
>>   ? __pfx_kthread+0x10/0x10
>>   ret_from_fork_asm+0x1a/0x30
>>   </TASK>
>> ---[ end trace ]---
>>
>> Fixes: 7d0445d66a76 ("bnx2x: clamp num_queues to prevent passing a negative value")
>> Signed-off-by: Ghadi Elie Rahme <ghadi.rahme@canonical.com>
>> ---
>>   drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c | 7 ++++++-
>>   1 file changed, 6 insertions(+), 1 deletion(-)
>>
>> diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
>> index a8e07e51418f..837617b99089 100644
>> --- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
>> +++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
>> @@ -66,7 +66,12 @@ static int bnx2x_calc_num_queues(struct bnx2x *bp)
>>   	if (is_kdump_kernel())
>>   		nq = 1;
>>   
>> -	nq = clamp(nq, 1, BNX2X_MAX_QUEUES(bp));
>> +	int max_nq = FP_SB_MAX_E1x - 1;
>> +
>> +	if(NO_FCOE(bp))
>> +		max_nq = FP_SB_MAX_E1x;
>> +
>> +	nq = clamp(nq, 1, max_nq);
>>   	return nq;
>>   }
>>   
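Review bot: Nothing beside 'int max_nq = FP_SB_MAX_E1x - 1;' documents why one entry is held back unless NO_FCOE(bp) is true, or how FP_SB_MAX_E1x relates to the 'stats_query_entry [19]' array named in the UBSAN reports. A short comment above the assignment stating what the array has to hold in addition to the Ethernet queues would let a later reader confirm the bound still holds if the array size or the constant changes.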
>> -- 
>> 2.43.0
>>
>>
> Did you not run checkpatch on this?
>
> Also:
>
> <formletter>
>
> This is not the correct way to submit patches for inclusion in the
> stable kernel tree.  Please read:
>      https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html
> for how to do this properly.
>
> </formletter>
